Lab 2.1 - Reading Assembly Code Part 2

Based on the previous labs, you should be able to answer the questions in this lab. This lab is ‘instructor-assisted’ so you’ll be given all the answers by the instructor and also shown how to get them.

Part 1

Task 1

Read the code below.

  1. Explain line 3.
  2. Explain line 4.
  3. Explain line 5.

.text:00402024 sub_402024      proc near               ; CODE XREF: sub_40159E+29↑p
.text:00402024                                         ; sub_401678+2F↑p
.text:00402024                 push    esi
.text:00402025                 mov     esi, eax
.text:00402027                 jmp     short loc_40202D

Task 2

  1. Read the code below.
  2. Explain line 3.
  3. Explain line 4.
  4. Explain line 5.
  5. Explain line 6.

.text:0040202D                 movsx   eax, byte ptr [edx]
.text:00402030                 movsx   ecx, byte ptr [esi]
.text:00402033                 inc     edx
.text:00402034                 inc     esi
.text:00402035                 cmp     ecx, eax
.text:00402037                 jz      short loc_402029
.text:00402039                 sbb     eax, eax
.text:0040203B                 and     eax, 2
.text:0040203E                 dec     eax
.text:0040203F                 pop     esi
.text:00402040                 retn
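As an added illustration that is not part of the original lab, the following C model reproduces the visible loop body and the sbb/and/dec result idiom from the Task 2 listing; register names are used as variable names, and because the loop head at loc_40202 9 is not shown, the walk is bounded by a caller-supplied byte count (a model assumption, not something the listing states).

```c
#include <stdint.h>
#include <stddef.h>

/* Models the branchless result idiom at the end of the Task 2 listing:
 *   cmp ecx, eax ; sbb eax, eax ; and eax, 2 ; dec eax
 * cmp sets CF when ecx < eax as unsigned 32-bit values; sbb eax, eax then
 * computes eax - eax - CF, i.e. -CF (all ones or zero). */
int32_t sbb_and_dec_result(uint32_t ecx, uint32_t eax)
{
    uint32_t cf = (ecx < eax) ? 1u : 0u;   /* carry flag after cmp ecx, eax */
    uint32_t r = 0u - cf;                  /* sbb eax, eax : 0xFFFFFFFF or 0 */
    r &= 2u;                               /* and eax, 2   : 2 or 0 */
    return (int32_t)r - 1;                 /* dec eax      : 1 or -1 */
}

/* movsx reg, byte ptr [p]: sign-extend one byte to 32 bits.  A byte >= 0x80
 * becomes a large unsigned value, which matters for the unsigned cmp above. */
uint32_t movsx_byte(const char *p)
{
    return (uint32_t)(int32_t)(int8_t)*p;
}

/* Walks the visible loop body: load [edx] and [esi] sign-extended, advance
 * both pointers, keep looping while the bytes are equal (the jz path), and
 * otherwise fall through to the sbb/and/dec epilogue.  The loop head at
 * loc_402029 is not in the listing, so the walk is bounded by max_bytes
 * (model assumption); 0 is returned if that bound is hit with no mismatch. */
int32_t compare_visible(const char *edx, const char *esi, size_t max_bytes)
{
    for (size_t i = 0; i < max_bytes; i++) {
        uint32_t eax = movsx_byte(edx);    /* movsx eax, byte ptr [edx] */
        uint32_t ecx = movsx_byte(esi);    /* movsx ecx, byte ptr [esi] */
        edx++;                             /* inc edx */
        esi++;                             /* inc esi */
        if (ecx != eax)                    /* cmp ecx, eax ; jz -> loop again */
            return sbb_and_dec_result(ecx, eax);
    }
    return 0;
}
```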

Task 3

Read the code below.

  1. Explain line 5.
  2. Explain line 6.

.text:00402065                 mov     eax, edi
.text:00402067                 pop     edi
.text:00402068                 pop     esi
.text:00402069                 pop     ebp
.text:0040206A                 retn    4
.text:0040206A sub_402045      endp

Task 4

Read the code below.

  1. Explain line 10.
  2. Explain line 11.
  3. Explain line 25.
  4. What function is being called?
  5. What is the purpose of this section of code?

.text:0040355C Data            = byte ptr -31Ch
.text:0040355C Buffer          = byte ptr -218h
.text:0040355C ValueName       = byte ptr -114h
.text:0040355C dwDisposition   = dword ptr -10h
.text:0040355C Type            = dword ptr -0Ch
.text:0040355C cbData          = dword ptr -8
.text:0040355C phkResult       = dword ptr -4
.text:0040355C arg_0           = dword ptr  8
.text:0040355C
.text:0040355C                 push    ebp
.text:0040355D                 mov     ebp, esp
.text:0040355F                 sub     esp, 31Ch
.text:00403565                 push    ebx
.text:00403566                 push    esi
.text:00403567                 lea     eax, [ebp+ValueName]
.text:0040356D                 push    eax
.text:0040356E                 mov     [ebp+Type], 1
.text:00403575                 xor     bl, bl
.text:00403577                 call    sub_403B1D
.text:0040357C                 push    eax
.text:0040357D                 call    sub_40344D
.text:00403582                 lea     eax, [ebp+dwDisposition]
.text:00403585                 push    eax             ; lpdwDisposition
.text:00403586                 lea     eax, [ebp+phkResult]
.text:00403589                 push    eax             ; phkResult
.text:0040358A                 xor     esi, esi
.text:0040358C                 push    esi             ; lpSecurityAttributes
.text:0040358D                 push    2001Fh          ; samDesired
.text:00403592                 push    esi             ; dwOptions
.text:00403593                 push    esi             ; lpClass
.text:00403594                 push    esi             ; Reserved
.text:00403595                 push    offset aSoftwareMicros_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVe"...
.text:0040359A                 push    80000001h       ; hKey
.text:0040359F                 call    ds:RegCreateKeyExA
.text:004035A5                 test    eax, eax
.text:004035A7                 jnz     loc_403644
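Added example, not part of the lab handout: the frame header at the top of the Task 4 listing gives each local's offset from ebp, and the size of each local is the gap to the next one. This C helper does that arithmetic over the page's own offsets, so the three 0x104-byte character buffers (260 bytes, i.e. MAX_PATH) and the four dword locals fall out, and the total matches the sub esp, 31Ch at line 12. The table is copied from the listing; arg_0 is left out because it lives above the return address, not in the local area.

```c
#include <stddef.h>
#include <stdint.h>

/* A frame variable as IDA lists it: name and signed offset from ebp. */
struct frame_var { const char *name; int32_t offset; };

/* Locals of the Task 4 listing, copied from its frame header and kept in
 * ascending offset order (arg_0 at +8 is a parameter, so it is omitted). */
static const struct frame_var task4_frame[] = {
    { "Data",          -0x31C },
    { "Buffer",        -0x218 },
    { "ValueName",     -0x114 },
    { "dwDisposition", -0x10  },
    { "Type",          -0x0C  },
    { "cbData",        -0x8   },
    { "phkResult",     -0x4   },
};
#define TASK4_FRAME_COUNT (sizeof task4_frame / sizeof task4_frame[0])

/* Size in bytes of local i: the distance to the next higher local, or to
 * ebp itself (offset 0) for the last one.  Returns 0 for an index out of
 * range or for a non-local (non-negative) offset. */
uint32_t local_size(const struct frame_var *frame, size_t count, size_t i)
{
    if (i >= count || frame[i].offset >= 0)
        return 0;
    int32_t next = (i + 1 < count) ? frame[i + 1].offset : 0;
    return (uint32_t)(next - frame[i].offset);
}

/* Total local area: minus the lowest offset.  For a correct frame this equals
 * the immediate in the prologue's sub esp instruction. */
uint32_t frame_local_bytes(const struct frame_var *frame, size_t count)
{
    return count ? (uint32_t)(-frame[0].offset) : 0;
}
```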

Task 5

Read the code below.

  1. Explain line 3.
  2. What is common in lines 3 - 6?
  3. What function is being called?
  4. Explain line 9.

.text:00402B87                 mov     [ebp+UrlComponents.lpszUrlPath], esp
.text:00402B8A                 lea     eax, [ebp+UrlComponents]
.text:00402B8D                 push    eax             ; lpUrlComponents
.text:00402B8E                 push    80000000h       ; dwFlags
.text:00402B93                 push    esi             ; dwUrlLength
.text:00402B94                 push    dword ptr [edi] ; lpszUrl
.text:00402B96                 call    ds:InternetCrackUrlA
.text:00402B9C                 test    eax, eax
.text:00402B9E                 jz      loc_402CF1

Part 2

All tasks in this part are instructor-led. There will be a demo at the start of each task.

Task 1

Load the file asm_sam1 in IDA Pro and answer these questions:

  1. What type of file is it?
  2. What is the purpose of this application?
  3. What is/are the main Win API calls in this application?
  4. What is the external filename mentioned in this application?

Task 2

Load the file asm_sam2 in IDA Pro and answer these questions:

  1. What type of file is it?
  2. What is the purpose of this application?
  3. What is/are the main Win API calls in this application?
  4. What is the external filename mentioned in this application?

Task 3

Load the file asm_sam3 in IDA Pro and answer these questions:

  1. What type of file is it?
  2. What is the purpose of this application?
  3. What is/are the main Win API calls in this application?
  4. What is the URL mentioned in this application?

Task 4

Load the file asm_sam4 in IDA Pro and answer these questions:

  1. What type of file is it?
  2. What is the purpose of this application?
  3. What is/are the main Win API calls in this application?
  4. What is the Registry Path mentioned in this app?
  5. What is the value being set to?
  6. Which app is being added to the registry?
  7. What is the value-name being added?

You have now completed this lab. Add all notes to the Workshop Notes doc.